Is VOIP safe? Can VOIP be hacked? Find out why VOIP security is important and the best practices for your business to consider with our guide.
Voice over IP systems handle critical communications functions such as business calls, conferencing, chat, and voicemail over on-premises or cloud-based environments. These systems have proven especially useful as remote workers gain momentum, as they are often not tethered to traditional landlines and can be used from any internet connection.
TO SEE: Mobile device security policies (Tech Republic Premium)
However, as with any technology that businesses depend on, there are security risks associated with it VOIP that companies need to be aware of to protect their operations, employees and data.
Why is VOIP security important?
Security is important for any system used to conduct business operations. It’s not just a matter of protecting company confidential data from falling into the wrong hands, but any disruption or impact to services and resources can disrupt business operations, reduce staff productivity and potentially damage the company’s reputation.
What are common VOIP security risks?
Scammers and cybercriminals are the most ominous threats in the VOIP landscape. On a direct level, VOIP systems can be hacked if they are inappropriately insecure or vulnerable, giving these malicious actors the keys to the kingdom, so to speak. Data can be stolen instantly or calls can be tapped to obtain sensitive information. A compromised VOIP system can be used for malicious purposes, wasting company resources and reducing the availability of services for legitimate users.
Distributed denial of service attacks are a typical threat, targeting massive amounts of Internet traffic to target VOIP systems to disrupt their functionality, followed by a ransom demand to stop the attack in exchange for payment.
On an indirect level, malware is another typical risk for VOIP activities. Malware can exploit vulnerabilities or improperly secured systems, so human intervention is not immediately necessary to carry out such an attack.
Direct or indirect access is not necessarily necessary to use VOIP to carry out fraudulent activities. While traditional “POTS” (Plain Old Telephone Systems) communications were just as vulnerable to people misleading unsuspecting call recipients with gimmicks and scammers’ attempts to lure money transfers, reveal personal information or credit card numbers, phishing calls remain a common threat .
In these scenarios, recipients are often tricked into thinking their accounts have been compromised or show signs of suspicious activity, and the caller then demands to verify these accounts by obtaining confidential information from the recipient.
Spam is also a common problem. Technology allows spammers to send untold amounts of automated messages to various systems or spoof a local number to trick recipients into answering calls and subjected to a marketing pitch.
Top 9 best practices for VOIP security
1. Provide clear and comprehensive documentation that is prepared and kept up to date
It is impossible to protect an environment that is not clearly defined. Keep track of all internal or external systems that VOIP relies on, as well as end-user devices (including smartphones) and the software involved. Ensure that all licenses, support information, and vendor contact information are updated and made available to the appropriate personnel so that security incidents can be quickly addressed and scale of impact determined.
2. Use end-to-end data encryption
All services using VOIP must include encryption, both on information in transit (e.g. phone calls or conference activity) and at rest (e.g. voicemails and chat history).
3. Use segmented subnets, firewalls and network address translation for on-premise equipment
Place all VOIP systems on dedicated subnets with access to a firewall that allows only appropriate traffic through the bare minimum of ports involved. By using network address translation so that all traffic relies on a public-to-private IP address, internal systems can be protected from attack, as only necessary access is allowed for VOIP functionality.
4. Require the use of complex passwords and multi-factor authentication for all VOIP-related devices
By tightening access to VOIP devices, they can only be used by the right personnel and unauthorized persons cannot access them if they are lost or stolen. Remote device management tools are also highly recommended as they can ensure compliance, locate devices, or wipe them completely.
Choosing complex passwords can be a daunting task, but tools like password managers which can create and store customizable passwords makes this process much easier.
5. Keep all VOIP software updated regularly
All software updates, whether to VOIP systems or end-user devices, should be applied as they become available to ensure the best security and functionality across the board.
6. Apply all security hotfixes, patches, and firmware updates
IT personnel should subscribe to VOIP vendor alerts and security bulletins to ensure that the latest hotfixes, patches, and firmware are routinely applied to prevent exploitation of vulnerabilities and ensure VOIP security compliance.
7. Regularly test your VOIP systems for security vulnerabilities
Whether you run it in-house or hire an outside resource, you should run penetration tests against your VOIP environment to make sure all hatches are properly closed. Also consider using a DDOS security service for large-scale, enterprise-class systems, which would cause massive disruption to use if attacked.
8. Discourage the use of public Wi-Fi for VOIP devices
Public Wi-Fi can pose a real risk to end-user devices operating over these networks, as traffic can be eavesdropped or vulnerabilities exploited in real time. Employees should only use secure, private Wi-Fi or use a VPN over known reliable public Wi-Fi networks (such as a family member’s home instead of a coffee shop).
9. Train your employees how to respond to (attempted) security breaches
All of the above protections are useless without user training. The most tightly locked VOIP device can still lead to a data breach if a user is convinced to hand over security-sensitive information or allow access to an attacker masquerading as a legitimate IT resource.
Provide training to employees to teach them how to:
- Recognize and report phishing attacks. End users should ensure that any attempted contact by someone claiming to be from the IT department is legitimate (for example, look them up in the address book or make sure they use secure company resources to communicate), otherwise report the incident to the IT hotline.
- Recognize potentially threatening environments where devices can be stolen, such as airports, train stations, and hotels, and secure devices accordingly.
- Recognize anomalies in device behavior, such as extreme slowness or suspicious activity.
- Report any attempted or successful breaches to a source that is separately available from any potentially compromised VOIP device (for example, a company website or phone number).
- Do not allow non-company personnel to use VOIP devices for any reason.
If you use VOIP devices in a BYOD environmentmake sure they are securely erased and/or handed over to the IT department to confirm that no further VOIP functionality exists before disposing of them.
